Schools are tasked with adhering to COVID-19 protocols, and this means screenings—adding sensitive student and staff health data to the mix

Are you protecting health data amid COVID-19 testing and tracking?

Schools are tasked with adhering to COVID-19 protocols, and this means screenings—adding sensitive student and staff health data to the mix

You need to reopen your doors, so you need to perform health checks, as well as COVID-19 testing and tracking. It’s understandable that you may have either purchased a device for your school or been given one to install from your district without first undergoing a complete risk assessment.

But these screening devices are largely unproven. Many of them have emerged very recently from vendors that are neither widely known nor trusted. Furthermore, many of them use facial recognition so the technology can connect the dots between the temperatures they’ve taken and whose temperature it is. Do you know how, where, or if that data then gets stored? Whether you have a handheld screening device that looks like a modified cell phone or one that looks like a tablet, you need to understand the associated risks and configure the technology securely.

You’re now handling health data

You’ve always had to manage and protect student data, but as soon as you pull the trigger on a temperature scanner, you’re dealing with sensitive health information. Some people dismiss temperature data as “just a temperature,” but the reality is that this is health data – and it needs to be treated differently than general student records. When you’re handling health data, the complexity and sensitivity is increased significantly.

A lot of COVID-19 testing and tracking devices have a server component to them, so the device sends data to a centralized server system where it’s captured and used for reporting. If someone scans hot, a notification may go out. That notification is then sharing health data. Additionally, many technologies are working to help record contact tracing. This, of course, is another layer of sensitive data, this time about the comings and goings of individuals.

So, consider where the personal information captured by these devices goes. Is it being used by the vendor for purposes aside from COVID-19 testing and tracking? Odds are good that it is (or eventually will be). Also, is it part of your network? If so, there’s a possibility that a cybercriminal could access the network – and all the data. There has been an increase in attacks on COVID-19 testing centers, vaccine development facilities, etc. so it’s not a stretch to imagine this type of data being a target within your own walls.

Assess risk & make plans

If your data, school, or district does get compromised and your screening technology is taken offline, what’s your backup plan? Do you have one? If not, take the time to think through all possible outcomes and what your next moves will be. Whether it’s because of cybercriminals or simply because the technology fails (as all tech does eventually), having contingency processes in place will increase your speed of response and level of security.

For example, if your device fails, will you use a handheld thermometer and record students’ names and temperatures manually? If so, how will you keep that information secure? Or, will you close the building and send kids home? Whatever scenario keeps your students, staff and data safest needs to be properly mapped out in the event it needs to be followed.

If you haven’t yet purchased and implemented a COVID-19 testing and tracking device, first perform a proper risk assessment on both the technology itself and the vendor. Make sure you understand how the device works, what data it’s capturing, where it’s being stored and how that data will be used today or in the future. Then, take steps to deploy it securely. It should be isolated to its own network or segmented to a virtual LAN. You don’t want any unproven, untested technology on your main network or your risks increase dramatically.

If you’ve already purchased and even begun using such a device, retroactively execute a risk assessment – as soon as possible. Then go through the same steps above. You may need to undo and redo its initial configuration in order to make sure it’s secure and on its own network, but it’s worth the time and energy. After all, you don’t get second chances with protecting sensitive student health data.

Ryan Cloutier

Want to share a great resource? Let us know at